Friday, December 05, 2014

These rules are useful if you want to allow or deny access to an application based on whether the authenticated user has a particular claim or not.

So I had a situation where there was a workflow involved and a user could not have access until they had been validated by an administrator.

So I created a claim called:

"http://company.com/claims/Validated"

(Remember, these are URIs, not URLs!)

Then in the Issuance Transform Rules tab, I had the normal LDAP rule to create the claim from an AD attribute, and in the Issuance Authorization Rules tab I had a rule that said that if that claim had a value of "True" then allow access. I deleted the default "Allow access to anyone" rule.

The problem was that it didn't work.

Had a chat with Mr. Google (and it was a long chat!) and eventually figured out that each tab stands on its own i.e. there is no cross-pollination between them. The fact that you have a rule in one tab means nothing in another.
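As an added example (not code from the post), this PowerShell script applies the two rule sets with the ADFS cmdlets. Because the authorization rule set only sees its own input claims, the script repeats the AD lookup inside that set with an add() statement and checks the result in a second rule. The attribute name extensionAttribute1 and the relying party name "My App" are assumptions.

```powershell
# Added example, not code from the post. Applies a "Validated" claim check with the ADFS
# PowerShell cmdlets. Assumptions: the flag lives in the AD attribute extensionAttribute1
# (values "True"/"False") and the relying party trust is named "My App".
# On ADFS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell
# (on Server 2012 R2 the Adfs module loads automatically).

$validatedClaimType = "http://company.com/claims/Validated"
$rpName             = "My App"

# Issuance Transform Rules: send the claim to the application (as the post describes).
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Validated flag from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$validatedClaimType"), query = ";extensionAttribute1;{0}", param = c.Value);
"@

# Issuance Authorization Rules: this set does not see the transform rule above, so the
# lookup is repeated here with add(), which puts the claim into this set's input only.
# The second rule then issues the permit claim. Replacing the whole set also drops the
# default "Permit all users" rule.
$authorizationRules = @"
@RuleName = "Look up Validated flag for authorization"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$validatedClaimType"), query = ";extensionAttribute1;{0}", param = c.Value);

@RuleName = "Permit users whose Validated flag is True"
c:[Type == "$validatedClaimType", Value =~ "^(?i)true`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

function Set-ValidatedAccessRules {
    param(
        [Parameter(Mandatory)][string]$TargetName,
        [Parameter(Mandatory)][string]$TransformRules,
        [Parameter(Mandatory)][string]$AuthorizationRules
    )
    Set-AdfsRelyingPartyTrust -TargetName $TargetName `
        -IssuanceTransformRules $TransformRules `
        -IssuanceAuthorizationRules $AuthorizationRules

    # Read back what ADFS stored so each rule set can be checked on its own.
    $rp = Get-AdfsRelyingPartyTrust -Name $TargetName
    [pscustomobject]@{
        Name               = $rp.Name
        TransformRules     = $rp.IssuanceTransformRules
        AuthorizationRules = $rp.IssuanceAuthorizationRules
    }
}

Set-ValidatedAccessRules -TargetName $rpName -TransformRules $transformRules -AuthorizationRules $authorizationRules | Format-List
```

Run it on the ADFS server as a federation service administrator. The read-back at the end is the quickest way to confirm that the Validated claim is present in the authorization set and that the default permit-all rule is gone.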

Tuesday, September 23, 2014

Playing around with ADFS 3.0 on Server 2012 R2 and found yet another difference with ADFS 2.x.

Imagine you have a number of .NET applications going through ADFS acting as an RP-STS, which in turn federates to another IP-STS.

Now on the IP-STS you want to know which RP the authentication request is coming from.

All the ADFS requests come through one channel, so headers like "Referer:" are useless.

In your RP web.config you can add a parameter like wreply or wtrealm as per WS-Federation.

You'll see these in the URL going to ADFS in the &wctx section. But nothing goes on to the IP-STS; ADFS "removes" them. Instead there is a &wctx which is a GUID.

And there is a cookie on the way which looks like:

MSISContextc1da81dd-46b6-4cee-b051-9c0e7a298527=xxxyyy==

where xxxyyy is Base64 encoded.

In ADFS 2.0, there was an entry in the web.config which told ADFS not to encode this information in a cookie but to send it as part of the query string - which makes for a lll-oon-nnn-ggg query string!

It seems counter-intuitive. wauth is a WS-Fed protocol element not a SAML one but ADFS obviously has the intelligence to pass this through to the SAML IDP in the AuthnContext.

What happens if your RP is SharePoint? Sadly, in this case you are fresh out of options. There are many references to this on the web but nobody appears to have a solution.

You pretty much have to add a proxy to add this element or speak nicely to your IDP provider!

Essentially you have to deconstruct the AuthnRequest, add the AuthnContext stuff and then put it all back together. That's basically just vanilla XML manipulation. However, if the agreement is that the AuthnRequest has to be signed, it's a whole new ballgame. You now have to get your hands on the private key of the SP signing certificate and read the SAML specifications to see which part of the AuthnRequest needs to be the signing input.

If you have certificate rollover set in ADFS, you are again screwed. The signing certificate is not in the certificate store. It's some weird combination of a certificate container in AD, a blob in one of the attributes and a link to the ADFS configuration database.

In this case, turn rollover off, generate your own certificates, place them in the certificate store in the usual manner and you are good to go. Remember to give the application account access to the private key. If that's all Greek, refer:

Thursday, May 29, 2014

Apologies for the title but there doesn't seem to be a standard for what the R2 version of ADFS is called, so I included them all to ease the Google / Bing / Duck Duck Go search.

If there's one question that has become flavour of the month lately this is it. There are many questions around customising the logon / login / sign on pages.

Some of them refer to customising the pages for Multi-Factor Authentication (MFA). Just remember that you can now do this with a Microsoft solution. Refer: Azure Multi-Factor Authentication. Note that this doesn't have to be cloud based. There is an on-premise variation.

In ADFS 2.0, the functionality was implemented as a web site running on IIS so you could customise to your heart's content changing the .aspx and the .cs pages.

My guess is that some people who didn't really understand the implications of what they were doing customised the pages in sub-standard ways and things went wrong and Microsoft copped the blame for pushing a crap product.

Remember - security in a web application is hard - writing a security application is even harder.

So in ADFS 3.0 this was all locked down. The biggest change was that it no longer uses IIS.

Wednesday, May 28, 2014

When you use VS 2013 and choose the web application option and then change the authentication options to use organisational accounts, you get a lot of template code which shows you some of the attributes in the user profile derived from Azure Active Directory (AAD).

You can see this if you click on the name of the logged-in user once the application is running and you have authenticated.

Wednesday, April 16, 2014

But I've always battled to get it to display exactly where I want and tracking around the zoomed screen is a nightmare.

Then I figured out that before you hit "Ctrl / 1" to zoom, put the cursor at the middle of the section you want to zoom.

Then zoom.

You can make minor adjustments by moving the mouse, use the trackwheel to zoom in / out, click the left mouse button to "stabilise" and then you are in the "Ctrl / 2" window by default so "Ctrl / Shift" will draw an arrow etc.

And it would be remiss of me not to point out that you can do this in Windows via the built-in commands. In a browser, type "Windows key" and then "+" to zoom out and then "Windows key" and then "-" to zoom back in. This is in fact the Magnifier tool.

OK so we create a new project but select "Other languages / Visual Basic / Web". Then select "ASP.NET Web Forms Application". You could go MVC - I'm more at home with Forms (Yeah - I know :-) ).

OK, that gives us the base project. Now use the "Identity and Access Tool" to "bind" your application to ADFS or wherever. There are many references on the web for doing this - it's language agnostic. And remember to add your new application as an RP in ADFS.

When you run up your application, you should be prompted for the logon screen.

Sweet!

Now in Step 2 in the above link, add the html exactly as described to Default.aspx.

There are two kinds of attributes in AD viz. single valued and multi-valued. The latter obviously can have more than one value.

You can see the difference when you try to edit them. A single-valued attribute has a single textbox, while a multi-valued attribute has a textbox to enter a new value and a multi-line textbox to show all the current values.

If you look at a multi-valued attribute in AD using ADUC, you'll see it displayed as:

value1;value2;value3

Note: This is different to a single value attribute that contains the string:

value1 value2 value3

That's a string of ONE value which is "value1 value2 value3".

How do you find them?

Use ldp, click on the Base DN of "CN=Schema ..." and then run:

(isSingleValued=FALSE)

I couldn't find any under the "objectClass=user" category but there are some if you have added the AD extension attributes to the schema i.e. the ones that start with "msExch ...".

All of which is a segue into how ADFS handles this. It produces a new claim (of the same type) for each value.

So if you took the above and mapped them to a claim of type Values, you'll get:
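As an added example (not the post's own output or code), this PowerShell script first runs the same schema query as the ldp step above through DirectorySearcher, and then builds the claims a .NET relying party receives when ADFS maps "value1;value2;value3" to a claim type called Values: one claim per value. The schema query assumes a domain-joined machine; the claim values are constructed here, not read from AD.

```powershell
# Added example, not code from the post. Part 1 scripts the ldp query from the post against
# the schema container (assumes a domain-joined machine). Part 2 shows what a .NET relying
# party sees when ADFS maps a multi-valued attribute to a claim type: one claim per value.
# The attribute values in Part 2 are constructed.

function Get-MultiValuedSchemaAttributes {
    param([int]$PageSize = 1000)
    # RootDSE tells us where the schema lives, so no hard-coded "CN=Schema,..." path.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = $rootDse.Properties["schemaNamingContext"].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    # Same filter as in ldp, restricted to attribute definitions.
    $searcher.Filter   = "(&(objectClass=attributeSchema)(isSingleValued=FALSE))"
    $searcher.PageSize = $PageSize
    [void]$searcher.PropertiesToLoad.Add("lDAPDisplayName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["ldapdisplayname"][0] } | Sort-Object
}

# Part 2: constructed values, as ADUC would display them ("value1;value2;value3").
function ConvertTo-ClaimsPerValue {
    param([string]$AducDisplay, [string]$ClaimType = "Values")
    # ADFS issues one claim of the same type for every value of a multi-valued attribute.
    $AducDisplay -split ';' | ForEach-Object {
        New-Object System.Security.Claims.Claim($ClaimType, $_.Trim())
    }
}

$identity = New-Object System.Security.Claims.ClaimsIdentity
$identity.AddClaims([System.Security.Claims.Claim[]](ConvertTo-ClaimsPerValue "value1;value2;value3"))

# What the RP must do: FindAll, not FindFirst, otherwise only value1 is ever seen.
$identity.FindAll("Values") | ForEach-Object { "{0} = {1}" -f $_.Type, $_.Value }

# Contrast with a single-valued attribute holding "value1 value2 value3": ONE claim.
$single = New-Object System.Security.Claims.Claim("Values", "value1 value2 value3")
"single-valued attribute gives {0} claim(s) with value '{1}'" -f @($single).Count, $single.Value
```

Call Get-MultiValuedSchemaAttributes on a domain-joined box to list the lDAPDisplayName of every multi-valued attribute in the schema; Part 2 runs anywhere with .NET 4.5 or later because it only uses System.Security.Claims.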

Wednesday, January 08, 2014

Busy developing a web site (ASP.NET, C#, Windows Forms, .NET Framework 4) and I got some security gurus to help do some security / penetration testing.

The site has some forms where you enter user details into text boxes. This is stored in a DB. You can search for users and the results are displayed in a grid e.g. first name, last name, email, roles etc.

So if you entered some Javascript into the last name text box e.g.

script Alert ('XSS error'); /script

(insert your own angle brackets!)

this would be written to the DB and when the grid was displayed the next time, you would see the alert - the dreaded XSS syndrome.

Microsoft has a library to handle this - the somewhat maligned AntiXSS.
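As an added example (not code from the post), this PowerShell script reproduces the defect and the fix, since PowerShell can call the same .NET encoder an ASP.NET page would: a grid cell built by string concatenation beside one that encodes on output. The "last name" values are constructed; nothing is read from a database.

```powershell
# Added example, not code from the post. Shows the defect and the fix in PowerShell, which
# can call the same .NET encoders an ASP.NET page would. The "last name" values below are
# constructed; nothing is read from a database.

Add-Type -AssemblyName System.Web

$sampleLastNames = @(
    "Smith",
    "<script>alert('XSS error');</script>",   # the payload described in the post, brackets included
    "O'Brien & Sons"
)

function New-GridCellUnsafe {
    param([string]$Value)
    # Vulnerable: the stored value is concatenated straight into the markup,
    # so any HTML it contains is rendered by the browser.
    return "<td>$Value</td>"
}

function New-GridCellEncoded {
    param([string]$Value)
    # Hardened: encode on output. HtmlEncode turns < > & " and ' into entities, so the
    # browser shows the text instead of executing it. From C#, HttpUtility.HtmlEncode or
    # the AntiXSS library's Encoder.HtmlEncode does the same job.
    $encoded = [System.Web.HttpUtility]::HtmlEncode($Value)
    return "<td>$encoded</td>"
}

function Test-RawScriptTag {
    param([string]$Html)
    # Demonstration check: does a raw <script tag survive in the rendered cell?
    return [bool]($Html -match '(?i)<script')
}

$sampleLastNames | ForEach-Object {
    $unsafe  = New-GridCellUnsafe  -Value $_
    $encoded = New-GridCellEncoded -Value $_
    [pscustomobject]@{
        Input               = $_
        UnsafeHasScriptTag  = Test-RawScriptTag $unsafe
        EncodedHasScriptTag = Test-RawScriptTag $encoded
        EncodedCell         = $encoded
    }
} | Format-Table -AutoSize -Wrap
```

The point to take from the table is that encoding belongs at the output boundary, when the grid is rendered, rather than at input time: the database keeps the real last name (including the apostrophe in O'Brien), and every place that writes it into HTML encodes it for that context.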